apiVersion: constraints.gatekeeper.sh/v1beta1
kind: D8ReadOnlyRootFilesystem
metadata:
  name: security-policy
spec:
  enforcementAction: "deny"
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
